• @Spotlight7573
    link
    English
    35
    edit-2
    9 months ago

    They’re downplaying their responsibility and the problem while taking a negative tone about the white hat (bold added):

    https://www.cuinsight.com/press-release/cu-solutions-group-issues-statement-on-recent-crm-vulnerability/

    CUSG was notified of this vulnerability by Jeremiah Fowler, a self-acclaimed “researcher” who appears to access corporate systems to expose vulnerabilities, then notifies the organizations regarding their exposure. At least in the case of this incident, he also requested a “bounty” to help fund his research, and then published the information in his blog which was later picked up by a specialized publication called, “HACK READ.” These posts can then be google-searched by other parties including media outlets. CUSG did not agree to pay the requested “bounty.”

    CUSG was in the process of gathering information and preparing a client communication when news of this publication broke. Nowhere in the article is an actual breach alleged. In fact, after exaggerating the incident to readers in an effort to sell their products, even the HACK READ article and Mr. Fowler’s personal blog post point out that the identified vulnerability was secured and rectified “on the same day.” […] In his Website Planet blog, Mr. Fowler has done similar “research/publication” work regarding scores of companies including Software Projects, Australian travel agency Inspiring Vacations, the America Family Law Center, Redcliffe Labs, Deutsche Bank, retailer Hendel Hogar, and numerous others. Again, the motivation seems to be to raise awareness, but also to benefit Mr. Fowler personally in his career as a researcher, writer, and speaker.

    CUSG CEO Dave Adams, summarized this incident this way: “While researchers like Mr. Fowler can help remind us of the importance of good data security, the publication of his findings in ways that potentially disparage corporate brands, create a customer “call to action”, and exaggerate the facts is clearly irresponsible and could place him and others at legal risk if their hacked data ends up being mishandled.

    And of course, the obligatory ‘we have an excellent security team, everyone faces threats, you can’t blame us’:

    Continuing, Adams expressed confidence in CUSG’s Internal Technology security: “For over 30 years, CUSG has operated with the same experienced technology team and leadership that has a stellar reputation for managing IT security on behalf of its stakeholders. While all companies are exposed to the ever-growing threats of cyber-security, and ransomware, CUSG’s team constantly monitors vulnerabilities and makes corrections immediately as needed and then reports to stakeholders with transparency.”

    Basically the standard “we take security seriously”:

    https://www.troyhunt.com/we-take-security-seriously-otherwise/

    “We take security seriously”, otherwise known as “We didn’t take it seriously enough”

    • @Potatos_are_not_friends
      link
      English
      8
      edit-2
      9 months ago

      As a non-participating visitor of security forums (which bleed into malicious hackers), I am looking forward to the popcorn.

      Right now, my job post bug bounties and hackers pen test and find vulnerabilities. And there’s a LOT of money flowing around in that space - my company alone has paid out over 7-figures collectively. A company’s reputation to honoring the agreement is also sacred. Because if we fail to pay or reject that this is a real vulnerability, our rep tanks and the next time there’s a vulnerability, it won’t be reported, but abused.

      CUSG just signalled that they are pieces of shit to the hacker community. And I’m gonna bet they are going to get some serious shit now.

      🍿